This post was originally entitled “SecTor 2010”, however I never actually attended the conference, so it’s not really about the conference but rather my short stay in Toronto during the SecTor 2010 conference.
Archive for the ‘hardware’ Category
After a two year absence due to unavoidable other obligations like good friends’ weddings, I finally made it back to one of my favorite hacker conferences, Toorcon. San Diego is always beautiful when I happen to be there with nice weather and a cool mix of people, both locals and visitors who are there for the conference, and this year was no exception.
This last weekend I took a trip up to Montreal for REcon. If you’re unfamiliar with REcon, it’s a small security conference focused on topics most interesting to reverse engineers. As such, the talks are more technical than you will find at other more mainstream conferences like BlackHat or DEFCON, and generally require a certain level of expertise as a baseline. If you don’t understand assembly language, you’ll probably not get much out of at least half of the lectures.
I recently purchased the Motorola Droid from Verizon, and am so far very happy with it. Other than finding the physical keyboard a bit lacking from being extremely spoiled by the Sidekick’s physical keyboard to which no other physical keyboard could ever hope to live up to, I’ve really had no complaints with the device or the Android 2.0 operating system that runs on it. I have however, noticed that touch-screen smart-phone unlock screens (not just the Droid’s) are getting progressively less secure.
It’s common understanding these days that the more factors of identification that a user has to provide to an authentication system, the more trustworthy and secure it likely is. Single-factor authentication is usually accomplished by providing something you know, like a password or PIN number.
As two-factor authentication became more and more mainstream, the two factors involved have usually been something you know, and something you have, like a credit card, crypto-key USB device, a code generated every so often by a electronic card you keep in your wallet, a smart-card that can respond directly to cryptographic challenges, or an RFID or other radio device. The most common use of two-factor authentication is how bank customers authenticate to an ATM machine; they must provide something they have, their bank card, and something they know, it’s PIN.
As cheap ways to collect biometrics have begun to emerge, these two factors have begun to shift from something you know and something you have, to something you know and something you are. This notion of something you are, generally referred to as biometrics, include things like your finger or palm print, iris pattern, voice print, or even your DNA. Using something you are to authenticate is obviously more inexpensive than providing users with something they need to have, however some more advanced authentication systems now require all three-factors for authentication.
Enter the fourth factor of authentication: somewhere you are.
DEFCON 15, in their second year at the Riviera, seemed a little more settled than the turbulent vibe from last year. Unfortunately DEFCON already seems to be outgrowing this space as a couple of the talks I wanted to see were standing room only and attendees were spilling out into the halls.
The badge this year was a large rectangular PCB with the DEFCON logo parts down the left side and the letters “DEFCON” down the right side. In the center, oriented vertically, was a mini LED pixel display which was controlled by an on-board chip. In it’s default state, the display scrolled the text “I <heart> DEFCON”, however you could program the display through various sequences of pressing your fingers to the DEFCON logo parts down the left side. The badge this year was interesting, but it definitely had some quality issues. The controls to program the scrolling LED display were too easily triggered accidentally, causing most badges to be usually scrolling one of the menu texts instead of the custom message. Also, toward the end of the conference I was seeing a lot of the badges with stuck displays, only having a couple of random LED pixels lit up on them. The badges may have also been a little over-engineered as the instructional poem in the DEFCON book alluded to being able to solder on more components like an RF transceiver, an accelerometer, and potentially some other stuff. I identified at least three different places where you could add components to the badge. There was also WAY too much information about the badge in the DEFCON book such as what types of components you could add, where to get complete source code, how to debug it, etc. This seemed way more like being led down a path than actually being able to “hack” the badge.
Due to speaking this year and having a bunch of friends from DFW in town partying and gambling I didn’t really do the DEFCON social/party thing. I didn’t even have time to attempt Caezar’s Challenge, which from what I could tell merged this year with the Ninja Networks party since the challenge was on the back of the Ninja party pass. Oh well, the couple hundred bucks I made playing BlackJack and hanging out with my DFW friends was worth it.
Out of the presentations and events I attended, here’s my thoughts:
I love Diebold, I really do… they’re a non-stop fountain of hilarity… I can’t believe they are still in business.